forked from privacyidea/privacyidea
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Changelog
1106 lines (932 loc) · 44.5 KB
/
Changelog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Version 3.1, 2019-09-04
Features:
* Allow user attributes in policy conditions (#1645)
* Assign tokens and set old PIN during migration (#1619)
* Admins can only see tokens within the realm they are allowed to manage (#1713)
**Note**: During update a policy "pi-update-policy-b9131d0686eb" is added, which
gives admins the previous read rights on tokens.
* Add adminread policies for policies, events, resolvers, system, machineresolvers,
smtpserver, radiusserver, privacyidea server, periodic tasks, smsgateways. (#1495)
**Note**: During update a policy "pi-update-policy-3d7f8b29cbb1" is added, which
gives read rights to all admins to provide backward compatibility
Enhancements:
* Authentication and Challenge Response:
* RADIUS token supports a single AccessChallenge with the remote RADIUS server (#1790)
* Improving Push token performance by reusing still valid access token (#1795)
* Improving TiQR token: It returns the remaining attemps after a wrong PIN is given (#1777)
* Improving TiQR token: Make TiQR info URL configurable (#1782)
* Enhance validate check logic in regards to serials and user names (#1768)
* User may now have several TiQR tokens at the same time (#1739)
* Do not increase fail counter when *checking* for an answered challenge (#1697)
* Allow additional token specific checks when answering challenge response (#1695)
* Endpoint GET /token/challenges also takes transaction_id (#1689)
* Push token can delay the response of /validate/check, so that there is no need
to query the server to check if the push notification has been answered (#1583)
* User experience:
* Improve user experience when enrolling Yubikeys via ykpersonalize - Automatically
removing whitespaces (#1735)
* Allow user to change the token description (#1717)
* Customize Web UI page title (#1624, #1243)
* *search_on_enter* also applies to audit log (#1493)
* Allow a welcome message in the Web UI if the user has no token (#1074)
* Do not display token configuration hints in the UI to normal users (#1789)
* Management:
* Event handlers allow rollout_state as condition (#1801)
* Add script to export OTP counters (#1728)
* Allow many additional tags in email notifications: serial, user, givenname,
surname, username, userrealm, tokentype, recipient_givenname, recipient_surname,
time, date (#1703)
* Improve diagnostics script by adding SQLAlchemy URL (#1667)
* Add resolver conditions to several policy checks (#1646)
* /auth entries in the audit log now also fill in resolver and serial (#1593)
* `pi-manage backup` also backs up the FreeRADIUS configuration (#1575)
* Allow event handlers on /auth endpoint (#1567)
* Allow to force a PIN on tokens in the privacyIDEA Authenticator App (#1295)
* New policy *max_active_tokens_per_user* (#1241)
* Add image url to the otpauth QR code, allow images in e.g. FreeOTP (#1228)
* Add MAC to PSKC token export (#1663)
* Performance:
* Make the serverpool in LDAP resolver persistant improving redundancy performance (#1396)
Fixes:
* Improve the stability of the schema-update-script (#1760)
* Rearrange update order in migration scripts (#1733)
* Adapt privacyidea-token-janitor to run with the TokenOwner table (#1709)
* Reordering decorators and policy checks to avoid unnecessary error messages (#1751)
* Fix user enrollment for tokens that require certain read rights for RADIUS and
certificates by adding additional endpoint /system/names/... (#1749, #1748)
* Use same transaction ID for all user tokens even with a TiQR token (#1723)
* Improve challenge response to also check the matching of the transaction ID
right at the beginning (#1699)
* Add event API requests to Audit log (#1600)
* Fix configuring pre-eventhandler with empty condition makes authentication fail (#1658)
* Improve UI by changing the cursor on all clickable elements (#1725)
* Web UI: Focus the filter entry field in tables, when the filter is activated (#1661)
* Fix some broken links in UI (#1610)
* Fix double listing in policy list (#1132)
* Remove additional empty line in audit log in case of an error (#1707)
* Fix enrollment of certificate tokens under Python 3 (#1799)
Version 3.0.2, 2019-06-17
Fixes:
* Fix creation of table tokenover and update with PostgreSQL DB
* Fix user assignment migration with non-ascii characters in userid
Version 3.0.1, 2019-05-23
Fixes:
* Fix PUSH token issues:
* Add logic checking to setup of PUSH token (#1592)
* Remove double enrollment notification of PUSH token in WebUI (#1598)
* Fix to allow spaces in Firebase configuration (#1599)
* Add support for iOS Firebase configuration (#1608)
* Fix to allow PUSH token enrollment, even with Label-policy (#1589)
* Fix to mark PUSH token challenge answered in the database (#1584)
* Fix the validity period of the registration token (#1587)
* Beautify the vertical alignment in the Web UI top menu (#1559)
* Fix user cache configuration read - defaults to 0 (#1596)
* Remove links in audit log for normal users (#1497)
* Check UI rights for user resolvers (#1496)
* Fix placeholder in realm dropdown in login dialog (#1498)
* Fix enckey creation in Python 3 (#1594)
* Allow the usage if "browserLanguage" in custom templates (#1620)
* Open all accordions when searching for policy action (#1558)
* Fix to hide support links also in menu (#1626)
Version 3.0, 2019-04-10
Features:
* Add Push Token that receives a Firebase push notification and allows login
by confirming this notification. Works with privacyIDEA Authenticator. (#1342)
* Add a queue to offload certain tasks from the original request.
Allow sending emails via queue. (#1290)
* Add API to write your own statistics-DB-module to be able to write
to a time series DB (#1289)
* The matching policies per request get written to the audit log (#874)
* Support Python 3 (#676)
Enhancements:
* Enhance challenge response text, allows headers and footers and HTML
in the challenge text (#1384)
* Event Handlers may now depend on the user and IP address (#1435)
* Improve documentation about customization (#1377)
* Allow to use the client IP from X-Forwarded-For for all endpoints (#1399)
* The otp-counter-condition for event handlers can also match greater
than and less than (#1383)
* Allow a token to use another SMS gateway than the default (#1358)
* The policy "reset_all_user_tokens" will also work with challenge response (#1348)
* Create more readable temporary token passwords based on base58. (#1325)
* Allow support button in the UI to point to more sensible locations (#1331)
Fixes:
* Update LDAP3 dependency to 2.6 and fixes broken objectGUID (#1526)
* Allow tokentype endpoints /ttype only for the specific tokentypes (#1528)
* When logging in to the webui the client IP is only determined by
X-Forwarded-For if the original (REMOTE_ADDR) is allowed to overwrite the client ip.
(Side effect of #1392)
* Remove submodules/authmodules from git repository and from base package (#1516)
* Allow userid as integer in SQLResolver (#1513)
* Fix revocation of certificates (#1510)
* Fix manual resync of TOTP token (#1479)
* Fix audit log entry if token resync fails (#1416)
* Fix authcache to actually *write* values to the authcache (#1386)
* Fix UI language determiniation in IE (#1379)
* Fix tokenjanitor which sometimes did not delete all matching tokens (#1322)
* Fix bug in two step enrollment (#1347)
* Do not pass LDAP service account credentials in GET /resolver (#1271)
* Redirect to login page in case of missing authorization header (#1326)
* Respond with 404 if a non-existing object (like deleting event handler)
is accessed (#817)
* fix setrealm policy not to fail, if the original user does not exist (#1205)
* Optimize hidden SQL queries (#1457)
* Improve installation process and schema migration by initially stamping
the database (#1489)
Redesign:
* Remove flask imports from libs to make code more modular (#331)
* Making Token-User relation an n:m relation by moving the token assignment
into its own database table. This will allow to assign several users to
one token (#1288)
* Unify password hashing in SQLResolver by using passlib (#1372)
* Redesign the cryptolayer and replace pycrypto with cryptography (#1340)
* Remove the old statistics, that were based on the audit log in favour
of the generic event handler based statistics (#1314)
* Deterministic installation with pinned dependencies on all distributions (#1127)
Version 2.23.5, 2019-03-04
Fixes:
* Fix authcache
* Fix correct syncwindow for manually resyncing TOTP tokens
Version 2.23.4, 2019-02-06
Fixes:
* Make triggerchallenge HTTP response consistent
* Add tokentype and message to response of triggerchallenges
* Allow concurrent challenges
* Fix accepted-language to support _only_ de-DE.
* Avoid user resolving in event handler condition
* Point the support button to better landing pages
Version 2.23.3, 2018-10-26
Fixes:
* Performance: avoid using wildcard serials in functions like
get_tokens, get_realms_of_token and copy_token
* Performance: avoid reload of static configuration
* Performance: Clean up LDAP cache, so that it will not grow to big and
further LDAP cache usage optimization (#1246)
* Performance: Make signing the audit log configurable (#1262)
* Performance: Make the auth counter per token configurable (#1262)
* Performance: Fix HSM auto recovery after an HSM failure and make
MAX_RETRIES configurable (#1278)
* Fix the double get requests of challenges in the UI
* Auditlog now honors the admin realm in the policies (#1244)
* Fix description of realm dropdown policy (#1245)
* Allow token janitor to use chunk sizes
* Allow Audit rotation to be performed in chunks to avoid deadlocks.
* Improve documentation about required and optional parameters in
the SQL Audit module.
* Cast userid to string to avoid casts problems with PostgreSQL
* Update pyopenssl dependency.
Version 2.23.2, 2018-09-07
Fixes:
* Fix problem with empty username (#1227)
Version 2.23.1, 2018-09-06
Fixes:
* Fix PassOnNoUser in combination with event handler (#1206)
* Fix loading of Event handler detail view (#1210)
* Fix Challenge-Response login at Web UI (#1216)
* Fix triggerchallenge to only use active tokens (#1217)
* Write all installed package to diagnostics file and
also write the resolver config in privacyidea-diag
Version 2.23, 2018-08-29
Features:
* Add periodic tasks including a privacyidea-cron script. (#992)
* Add task module "Simple Stats" to generate time series of certain
important statistics values in privacyIDEA (#1105)
* Add task module "Event Counter" that allows to create time series of
any arbitrary event. (#1029)
* New token type: TAN list, that can also import a prefefined
list of TANs (#1057)
* Add Event Handler Pre-Handling, that e.g. allows for
even more easy token enrollment concepts (#747)
Enhancements:
* Improve performance by adding SQL pooling for SQL Audit
and SQL Resolvers. (#1167, #1140)
* Improve SQL Resolver to also verify bcrypt-hash passwords (#1172)
* Allow multiple WHERE conditions in SQL Resolver (#1039)
* Allow objectGUID as loginname in LDAP resolver for better
ownCloud support (#1076)
* Add command in pi-manage to dump audit log information (#1120)
* Add script to allow generation of AES keys on HSM (#1159)
* Improve recovery mechanism from a lost HSM connection (#1069)
* Improve Debug Logging to hide passwords in SQL connect strings (#1162)
* Add script for easy privacyIDEA standalone setup (#1093)
* ldap3, pyasn1, croniter updated in Ubuntu Launchpad repo (#1085)
* Add a script that easily gathers support and diagnostic information (#829)
* Add event handler management to pi-manage (#1119)
* Allow to customize the challenge text for challenge response tokens (#1096)
* Add user information to OATH CSV token import file (#998)
* Improve migration scripts from LinOTP to also update counter values (#1075)
* Add priority to policies to avoid contradicting policies (#1031)
* The token event handler now can delete tokeninfo (#988)
* Make the import of OATH CSV token specific, so that each
tokentype can define its own import strategy (#1066)
* The Event Counter module now allows to decrease the counter (#991)
* Allow time deltas to also contain seconds (#1033)
Fixes:
* Allow to use unicode passwords with non-ascii characters for the
connect string in SQL Resolvers (#1181)
* Fix problem that a wrong password hash was used, if user is created
in SQL Resolver (#1114)
* Fix performance issue with slow token listing (#1123)
* Fix the QR code regeneration if the user already has the maximum number
of allowed tokens (#1153)
* Fix problem with privacyidea-pip-update in case of pip version 10 (#1128)
* Fix problem if max_token_per_user was higher than 9 (#1117)
* Fix hash algorithm in QR Code (#1088)
* Set focus in username field in the login dialog (#205)
* Fix disappearing scrollbar issue (#1020)
* Fix import of SHA256 tokens (#1061)
* Convert string values to unicode in the database model to
avoid misleading "error" messages (#1000)
* Fix truncation of audit log in case of authentication failure (#1034)
* Shorten audit information to fit into the database column (#1037)
* Fix the RADIUS configuration test (#1042)
Version 2.22.1, 2018-04-20
Fixes in WebUI:
* Allow to display the messages of several C/R tokens (#995, #1004)
* Use ng-if instead of ng-show to avoid errors in the javascript console (#963)
* Remove reference to not-used system.addons.js to avoid errors in the javascript console
* Remove reference to not-used system.addons.html to avoid errors in the javascript console
* Use ng-src instead of src to avoid errors in the javascript console
* Avoid request to /false is image is not existing - avoid error in the javascript console
* Fix handling of U2F token in the WebUI login
* Require serial number in the assignment form (#1011)
* Fix PIN comparison in token enroll and token assign (#1010)
* Fix the empty username in token enroll or assign (#918)
Fixes in Server:
* Add check for serial number present (#1011)
* Fix validation of OCRA and TiQR token (#1008)
* Add retry to cope with HSM issues (#1003)
* Fix unicode in resolverconf database table with Oracle (#999)
Version 2.22, 2018-03-27
Features:
* Add automatic offline refill for Offline OTP tokens (#839)
* Return realm and resolver of the user and allow mapping
group membership to the RADIUS protocol (#896)
* Add new tokenkind (hardware, software, virtual) for all tokens (#828)
* Support Vasco tokens via Import and via Web Enrollment (#904, #903, #891)
* Add arbitrary tokeninfo field to authorization policy (#873)
* New SMPP SMS provider (#878)
* New event handler Counter for counting events for statistics and monitoring (#951)
Enhancements:
* Enhance the statistics possibilities in WebUI (#950)
* Allow reencryption of the database by importing PSKC to
a new database (#940)
* Allow token janitor to export "PW" token type to PSKC (#942)
* Also export and import the counter values of HOTP/TOTP to PSKC (#943)
* SMS token can dynamically read phone number from user source (#932)
* Email token can dynamically read email address from user source (#932)
* Add policy to ignore the validity of a U2F attestation certificate (#926)
* Improve the speed of the LinOTP migration script to cope with tens of
thousands of tokens (#914)
* pi-manage can create API tokens with a chosen validity time (#931)
* Allow user to set token description for HOTP and TOTP tokens
during enrollment (#928) (Thanks to Taylor Chase for this contribution!)
* Add timeout to SMTP server configuration (#919)
* Allow complex email templates for email tokens (#684)
* LDAP resolver now supports arbitrary multivalue attributes (#881)
* Allow Event Handler to match failing authentication (#971)
Fixes:
* Several fixes in LDAP resolver to cope with ldap3/pyasn1 version issues and
other issues (#911, #980, #982, #887)
* Skip misguiding LDAP error "AttributeError NonType" in log file (#948)
* Add missing validity time in /validate/check response for email tokens (#946)
(Thanks to Kleber Rocha/klinux for this contribution!)
* Fix the handling of the SMS expiration date (#937)
* Fix serial length in the audit table to match the serial length in the token table (#929)
(Thanks to Salvo Rapisarda for this contribution!)
* Fix Mail content sent by email token is rendered as attachment (#915)
* Fix Editing SMTP Server definition clears the password (#923)
* Fix pi-manage backup crash (Thanks to Pavol Ipoth for this contribution!)
Version 2.21.4, 2018-01-24
Fixes:
* HTTP Timeout of HTTP SMS Gateway (#889)
* Remove console.log from webui
Version 2.21.1, 2018-01-09
Fixes:
* Allow to use TLS1.1 and TLS1.2 for LDAP Resolver (#876)
Version 2.21, 2017-12-20
Features:
* Allow export of tokens to PKSC file (#790)
* Implement two-step enrollment of HOTP/TOTP tokens (#797, #863, #865, #866)
* Allow WebUI customization via policies (#795)
Enhancements:
* Add script to decrypt safeword tokens
* Allow using tags in the tokenissuer of smartphone tokens
* Try to re-establish lost HSM connections (#787)
* Allow to rotate audit log based on multiple conditions (#780, #833)
* Add dry-run option to audit log rotation (#801)
* Allow dots in realm names (#808)
* Mark empty but required fields in WebUI (#810)
* Display success information after PIN is set (#822)
* Add further tags to the user notification event handler (#824)
* Add number of users to the subscription view (#800)
* Add HTTP/HTTPS proxy settings to HTTP SMS Provider (#835)
* Federation Handler allows to forward the authorization token (#838)
* Use token janitor to export a user list (#852)
* Use HSM for random key generation if possible (#783)
* HTTP SMS Provider now takes TIMEOUT parameter into account
* Allow to configure length of generated serial numbers (#583)
Fixes:
* Fix handling of only_realm option in token event handler (#809)
* Fix scrollbar issues in WebUI (#806, #823)
* Fix OTP counter of offline token (#840)
* Fix conflicts between check_tokentype and passthru policies (#846)
* Properly reset tab tile after session has been locked (#850)
* Fix handling of fixed key size during enrollment (#820)
* Make sure that only active policies are honored (#825)
* Fix various bugs with non-ASCII data (#754)
* Fix failcounter_clear_timeout (#831)
* Only remove apache host definitions on first installation (#834)
Version 2.20.1, 2017-10-30
Fixes:
* /token/init allows to pass otpkey AND genkey=false (#793)
* Cast date to string, to fix audit search for postgresql (#786)
* Optimize the LDAP Resolver Redundancy to avoid LdapServerPoolExhaustedErrors (#802)
* Preset default realm in token enrollment (#804)
* Fix PassOnNoUser and PassOnNoToken (#798)
* Fix genkey=0 error during token enrollment (#793)
Version 2.20, 2017-09-27
Features:
* New Token-Type OCRA and DisplayTAN to support
transaction signing for online banking (#767)
* Federation Handler allows to forward authentication
requests and other REST API requests to a child
privacyIDEA system (#711)
* Improved Subscription Handling
* Allow to login with multiple loginnames (#713)
* Authentication Cache policy (#729)
Enhancements:
* !!!NOTE!!! following policies now also honor the resolvers,
which they did not previously:
(AUTH, challenge_response), (AUTH, otppin),
(AUTHZ, auth_max_success), (AUTHZ, auth_max_fail),
(AUTHZ, last_auth), (WEBUI, login_mode),
(ENROLL,losttoken_pw_contents), (ENROLL,losttoken_validity),
(ENROLL, losttoken_pw_len) (#736)
* User can regenerate the QR Code during enrollment
of smartphone app (#766)
* Administrator can define remote privacyIDEA servers
centrally (#711)
* Events can now be ordered. This is important for the
federation handling (#711)
* Specify the hash algorithm that is used to save
SQL users passwords (#745)
* Add welcome dialog for administrator (#716)
* Allow creating oracle DB (#752)
* Event Handler can use timestamps and time offsets in
conditions (#741)
* Use challenge/response token to unlock the screen of
the web UI (#702)
* Support multiple challenge/response token at the same
time (#722)
* GPG keys are generated during package installation and
show the GPG key in the import dialog (#742)
* Failcounter clearing timeout in UI (#719)
* Allow to send challenge data (like banking transaction) in
email text and SMS text.
Fixes:
* Set default loglevel from DEBUG to INFO (#765)
* Fixed PIN logging, which could lead to exceptions
* Fixed unicode handling in log messages
* Make LDAP Resolver work with utf8 (#738)
* User can only choose hash algo according to policy (#723)
* Add time period 30/60s to rollout URI (#744)
* Fix deprecation warning for flask_migrate (#734)
* Allow multiple tries for challenge/response (#708)
* Fix problem with certificate serial number (#737)
Version 2.19.1, 2017-07-02
Enhancements:
* Add "pi-manage policy load" and "pi-manage policy export". (#721)
* Allow customization via pi.cfg file.
* Add {username} and {realm} as tags for the tokenhandler. (#735)
Fixes:
* Fix pi-manage file permission for backup
* Fix search for resolver in audit log
* Allow to read old legacy time from validity period
* Fix wrong enddate with lost_token
* Fix typos
* Improve documentation for yubikey
* Improve documentation for cache decorator
* Improve documentation for webui policy
Version 2.19, 2017-05-25
Features:
* Add generic User Cache to speed up authentication (#670, #683)
* Support multiple challenge-response tokens with the same PIN (#654)
* Restrict U2F registration based on assertion certificte (#648)
* Restrict authentication with U2F devices based on assertion
certificate (#648)
* Add privacyidea-token-janitor script, that can clean orpaned or
expired tokens (#692)
* Add API for mutual key generation during enrollment for easy
Smartphone App development by introducing a generic
2-step-rollout process (#627)
* Add /validate/radiuscheck which works with rlm_rest and only uses
HTTP return codes. (#703)
Enhancements:
* Allow to unset token validity period and other tokeninfo
fields (#691)
* Add a quick-resolver test for LDAP resolvers (#688)
* Add additional tokeninfo tags {client_ip}, {ua_browser},
{ua_string} in token handler (#687)
* Allow to set decription of U2F tokens during enrollment (#685)
* Reduce the number of LDAP requests to increase authentication
performance (#664, #655, #650)
* Realm administrator is only allowed to see actions on this allowed
user realms (#663)
* Add audit rotation to pi-manage (#657)
* Speed up Audit Log calls by adding a second index (#656)
* Allow to either lock und logout the UI after timeout (#653)
* Allow string format {user}, {realm}, {serial}, {surname} in
tokenlabel policy (#646)
* Move to a consistent time format for validity period and all other
user specific times also containing the timezone (#644)
* Add TLS certificate check to LDAP machine resolver (#638)
* Make TLS certificate the default option in LDAP resolvers (#639)
* Allow to use privacyIDEA ownCloud App without subscription
file with up to 50 users.
Fixes:
* Fix the datepicker for the token validity period (#644 / #693)
* Fix LDAP resolver to respect all boolean configuration
options (#658)
* Fix serial number in challenge response validation response (#649)
Commits added in version 2.19 by:
(In the order of appearance)
* Cornelius Kölbel
* Quynh Nguyen
* Friedrich Weber
* Quoc Doan
* blinkiz
* Bernd Nicklas
Version 2.18, 2017-03-09
Features:
* Allow to disable the WebUI (#605)
* The WebUI will lock the screen after a timeout instead of
logging out the user. This allows to easily continue
configuration work. (#621)
* Improve the creation and handling of local CAs (#630, #632, #633)
Allow certificate template for certificates with different runtime
and x509v3 extensions.
Enhancements
Enhancements in Policies:
* Allow regular expressions in usernames in policies. (#581)
* Improve Policy creation with pi-manage from JSON formatted file.
* WebUI: Add action grouping in policies.
* WebUI: Add action filter in policy view.
* Allow token specific PIN policies: The SPASS token can now
have dedicated PIN policies.
* Add PIN policies for administrators during enrollment and
during assignment.
* Add WebUI policy: only search on enter being pressed (#617)
Enhancements in Event Handlers:
* Add token_validity_period condition to event handlers. (#618)
* Add additional options in token handler when creating
SMS, Email or mOTP tokens.
* Allow tokenhandler to set tokeninfo field.
* Allow tokenhandler to set syncwindow.
* Add event handler condition for count_auth_success and
cound_auth_fail
* Add event handler condition for last_auth.
* Improve Audit Log for Event Handler. Each triggered action
will now also create an audit entry. (#609)
* Allow the use of {current_time} in tokenevent handler. (#628)
Enhancements in LDAP Resolver:
* Upgrade dependency to ldap3 version >=2.1.1 to improve LDAP
performance in regards to redundancy and security
* LDAP Resolver: Use get_info in bind requests to avoid querying
of subschema. (#585)
* LDAP Resolver: Support StartTLS over Port 389.
* Simplify LDAP Resolver: Remove username from Attribute Mapping.
* Simplefy LDAP Resolver: Remove reverse filter.
Misc Enhancements:
* Automatically add user's mobile number if tokentype is SMS.
* Add example configuration for GTX messaging SMS gateway.
* Add a script "privacyidea-get-unused-tokens" to find
unused tokens
* WebUI: Add a busy indicator spinner.
* Improve the pi-manage script in regards to backup and restore.
Let you choose whether to backup encryption key or not.
Better handling for individual pathes. (#626, #623)
Fixes:
* LDAP Resolver: Verify SSL Certificate (Security)
* LDAP Resolver: Allow special characters in NTLM password
* LDAP Resolver: Allow searching for users with German umlaut
* Remove the "unsafe" notation in the QR-Code link, so that
a smartphone may import the key during HOTP/TOTP token enrollment
by clicking the link. (#620)
* Use defusexml to avoid XML bombs on token import (Security)
* Replace eval with ast.literal_evel (Security)
* Add missing attributes for U2F tokens in
validate/triggerchallenge API
* Let /validate/triggerchallenge write to audit log.
* Fix mangle policy for users and realms
* Avoid logging of password in check_user_pass in debug level
(level=10)
* Set encrypted PIN on enrollment for certificate tokens (#625)
* Remove unused policy action "motp_webprovision"
* Allow emailtext policy in triggerchallenge API (#642)
Version 2.17, 2016-12-29
Features
* Token Handler. Using the token handler the administrator
can defined actions in response to events, to modify tokens
like deleting, modifying, initilizing... tokens (#532)
* Script Event Handler or Shell Event Handler allows to
trigger an external shell script, if some event occurs. (#536)
* Add additional endpoint to trigger a challenge response
like the sending of an SMS, if the token PIN is not
available (#531)
* Policy Handling to also check for secondary resolvers of
a user. This way a user can authenticate with his primary
resolver but policy will also work for secondary resolvers (#543)
Enhancements
* The event handler conditions also determine a serial number
even if there is no serial number in the request:
If the user from the request only has one token assigned. (#571)
* Allow event definitions to be disabled (#537)
* Allow event to be addressed by a destinct name (#522)
* Improving LDAP performace by addressing different functionality
of ldap3 version 1.x and 2.x. (#549)
* Improve SQL Audit by adding the SQL Audit table to the schema.
Table is not created during HTTP request. (#557)
* Limit audit log entry age. Users may only view audit
log entries up to a certain age. (#541)
* Add checkbox to only display used actions in a policy (#573)
* In event handler: Use serial number of a user's token if the
user has only one token (#571)
* Download a filtered audit log (#539)
Fixes
* Add missing token serial number to audit log if token is
deletes (#546)
* Fix event handler saving (#551)
* HttpSMSProvider accepts status codes 201 and 202 in addition
to 200 (#562)
* Fix checkbox bug in NOREFERRALS of LDAP resolver (#563)
* Add documentation for SMS provider (#566)
* Remove 301 redirects from WebUI (#576)
Version 2.16, 2016-11-10
Featurs
* Add HSM support via AES keys (#534)
* Improved Event Handler for flexible notification (#511)
* Signed subscription files for adding and checking
for extra functionality during authentication request (#502)
Enhancements
* Allow additional filter attributes in the Audit Log (#519)
* Show or hide realms in the login dialog via policy (#517)
* Improve UI if admin is not allowed for certain actions (#516, #512)
* Disable OTP PIN during enrollment via policy (#439)
* Allow automatic sending of registration code via email (#514)
Fixes
* Allow compatibility with ldap3 >= 2.0.7 (#533 #535)
* Fix problem with Notification when no tokenowner is available (#528)
* Fix confusion of client HTTP parameters (#529)
* Fix enabled flag with certain database types (#527)
* Catch error in case of faulty overrideClient definition (#526)
* Truncate Audit lines, that are too long for the DB table (#525)
Version 2.15, 2016-10-06
Features
* Client Overview. Display the type of the requesting
authenticating clients (#489)
* Support for NitroKey OTP mode (admin client)
Enhancements
* Performance enhancements using Caching singletons for
Config, Realm, Resolver and Policies
* Allow configuration of the registration email text (#494)
* Return SAML attributes only in case of successful
authentication (#500)
* Policy "reset_all_user_tokens" allow to reset all
failcounters on successful authentication (#471)
* Client rewrite mapping also checks for
X-Forwarded-For (#395, #495)
Fixes
* Fixing RemoteUser fails to display WebUI (#499)
* String comparison in HOSTS resolver (#484)
Version 2.14, 2016-08-17
Features
* Import PGP encrypted seed files
* Allow UserNotification for user actions
* Allow UserNotification on validate/check events,
to notify the user on a failed authentication or
a locked token.
Enhancements
* Add thread ID in REST API Response
* Performance improvement: Cache LDAP Requests #473
* Performance improvement: Optimize resolver iteration #474
* Add "Check OTP only" in WebUI
* Improve "get serial by OTP" in WebUI
* Add script to get serial by OTP
Fixes
* Restrict GET /user for corresponding admins #460
Version 2.13, 2016-06-30
Features
* Allow central definition of SMS gateways
to be used with tokens. #392
* User SMS for User Notificaton Event Handler. #435
* Add PIN change setting for each token. #429
* Force PIN change in web UI. #432
Enhancements
* Performence enhancements
* speed up loading of audit log in web UI.
* avoid double loadin of tokens and audit entries in web UI. #436
* Additional log level (enhanced Debug) to even log passwords in
debug mode.
* Add new logo. #430
* Add quick actions in the token list: reset failcounter,
toggle active. #426
* REST API returns OTP length on successful authentication. #407
* Add intelligent OverrideAuthorizationClient system setting,
that allows defined proxies to reset the client IP. #395
Fixes
* Display token count in web UI. #437
* Use correct default_tokentype in token enrollment. #427
* Fix HOTP resync problems. #412
Version 2.12, 2016-05-24
Features
* Event Handler Framework #360
* local CA connector can enroll certificates
for users. Users can download PKCS12 file. #383
* Add and edit users in LDAP resolvers #372
* Hardware Security Module support via PKCS11
* Time dependent policies #358
Enhancements
* Policy for web UI enrollment wizard #402
* Realm dropdown box at login screen #400
* Apply user policy settings #390
* Improve QR Code for TOTP token enrollment #384
* Add documentation for enrollment wizard #381
* Improve pi-manage backup to use pymysql #375
* Use X-Forwarded-For HTTP header as client IP #356
* Add meta-package privacyidea-mysql #376
Fixes
* Adduser honors resolver setting in policy #403
* Add documentation for SPASS token #399
* Hide enrollment link (WebUI) is user can not enroll #398
* Fix getSerial for TOTP tokens #393
* Fix system config checkboxes #378
* Allow a realm to be remove from a token #363
* Improve the date handling in emails #352
* Sending test emails #350
* Authentication with active token not possible if
the user has a disabled token #339
Version 2.11, 2016-03-29
Features
* RADIUS Servers: Allow central definition of RADIUS servers
* RADIUS passthru policy: Authentication requests for users
with no tokens can be forwarded to a specified RADIUS server
Enhancements
* Allow objectGUID in LDAP-Resolver of Active Directory
* Use paged searches in LDAP. LDAP resolver will find all
users in the LDAP directory.
* Allow privacyIDEA instance name to be configured for
the AUDIT log
* Allow special characters in LDAP loginnames and passwords
* Add arbitrary attributes to SAML Authentication response
* Enhance the handling of YUBICO mode yubikeys with the
YUBICO API. The prefix is handled correctly.
* Allow in get_tokens to be filtered for tokeninfo.
* Add paged search in LDAP resolver. This allows responses
with more than 1000 objects.
Fixes
* Fix SMTP authentication
* Fix Enrollment Wizard for non-default realm users
* Registration process: If an email can not be delivered,
the token is deleted, since it can not be used.
Version 2.10, 2016-02-11
Features
* User Registration: A user may register himself and thus create
his new user account.
* Password Reset: Using a recovery token a user may issue a
password reset without bothering the administrator or the
help desk.
* Enrollment Wizard for easy user token enrollment
* SMTP Servers: Define several system wide SMTP settings and use
these for
* Email token,
* SMTP SMS Provider,
* registration process,
* or password reset.
Enhancements
* Ease the Smartphone App (Google Authenticator) rollout.
Hide otplen, hash, timestep in the UI if a policy is defined.
* Add import of Aladdin/SafeNet XML file.
* Add import of password encrypted PSKC files.
* Add import of key encrypted PSKC files.
Fixes
* Support LDAP passwords with special non-ascii characters.
* Support LDAP BIND with special non-ascii characters.
* Fix problem with encrypted encryption key.
* Fix upgrading DB Schema for postgresql+psycopg2.
* Fix UI displaying of saved SMS Provider.
* Do not start challenge response with a locked/disabled token.
Version 2.9, 2015-12-21
Features
* New token type: Security questions or questionnaire token.
* New token type: Paper token. OTP values printed on a piece of paper.
* Yubico Validation API: The yubikey tokens can authenticate via
/ttype/yubikey which follows the Yubico Validation Protocol.
Enhancements
* Add Web UI view to display the active challenges.
* The issuer for the Google Authenticator app can be configured.
* The LDAP machine resolver uses an LDAP server pool.
* The LDAP user resolver returns a list of mobile numbers.
Fixes
* The test email for the email token now has a sent date.
* Fix problem when using encrypted encryption key.
* Fix upper case problem when logging in to web UI
with REMOTE_USER.
* Fix allow set an empty PIN in the web UI.
* Fix import of token file in Web UI.
Version 2.8, 2015-11-26
Features
* Improve U2F support with trusted facets
* Add Challenge Response and U2F support to SAML
* Add Web UI theming
* Add possibility to use REMOTE_USER for authentication at Web UI
* Fuzzy Authentication: restrict time since last authentication
Enhancements
* Allow mangle policy when fetching ssh keys
* Add realm support to ownCloud plugin
* Support Drupal passwords in SQL resolver
* Add validity period to token enrollment
* Set default enrollment token type in Web UI
* Add scope to LDAP resolver
Fixes
* Fix failcounter reset for challenge response tokens
* Fix confusing DB errors (column exist) during installation
* Fix email token TLS checkbox saving
* Fix TOTP testing in Web UI
* Fix SMS config loading in Web UI
Version 2.7, 2015-10-03
Features
* Add support for U2F tokens
* Add signature to the API JSON response. Thus
the client can verify the response.
Enhancements
* When importing tokens, a realm can be chosen, so that all imported
tokens are immediately inserted into this realm.
* The user is able to change his password in the WebUI.
* The user can assign a token in the WebUI.
* Avoid the requiring of a PIN for some tokentypes like SSH
* Migrate to pymysql, the pure python mysql implementation
* The Audit Log tells if a previous OTP value was used again.
Fixes
* Enable login to WebUI with a loginname containing an @ sign.
* Fix the writing of logfile privacyidea.log
Version 2.6, 2015-09-09
Features
* Add OCRA base TiQR token to authenticate by scanning
a QR code.
* Add Challenge Response authentication to Web UI
* Add 4-Eyes token, to enable two man policy. Two tokens
of two users are needed to authenticate.
* "Revoke Token" lets you perform special action on token types.
Tokens can be revoke, meaning they are blocked an can not
be unblocked anymore.
Enhancements
* Add HA information in the documentation.
* Add OpenVPN documentation.
* Add challenge response policy, to define if e.g. HOTP or TOTP are
allowed to be used in challenge response mode.
* Add hotkeys for easier use of Web Ui.
* Remove wrong system wide PassOnNoUser and PassOnNoToken.
* Set default language to "en" in Web UI.
Fixes
* Fix LDAP bug #179, which allows authentication with
wrong password under certain conditions
* Small fixes in coverage tests
* Fix username in web UI during enrollment
* Fix link to privacyIDEA logo in Web UI
* Fixed bug, that user was not able to resync his own tokens.
Version 2.5, 2015-07-23
Features
* Add statistics
* Add German translation
* Add PinHandler in case of random PIN used
* Add automatic documentation of system setup
* Add ownCloud plugin
Enhancements
* Preset Email and SMS of a user when enrolling token
* Enable LDAP anonymous bind
* Add Hashalgorithms and digits to QR Code
* Add support for CentOS 6 and 7
Fixes
* Fix registration token
* Fix mOTP reuse problem
Version 2.4, 2015-06-24
* Add User Management
* Add Admin Realms to policies, to allow better policies in bigger setups
* Add API key, that can be used for accessing /validate/check
* Load PSKC Token seed files.
* Add more sophisticated logging. Severe errors via Email
* WebUI: Registrtion token can be enrolled in WebUI
* WebUI: The token seed can be displayed in WebUI after generation
* WebUI: Only the token types that are allowed to be enrolled are displayed
* WebUI: Login_Mode Policy: Disable access to WebUI for certain users
* WebUI: Add reload button in Audit view
* SQLResolver: The Where statement is used in all cases
* SSH-Token Application: Only fetch keys of the requested user
* Apache client can work with several hosts on one machine
* Documentation: Tokentypes and Supported Hardware Tokens
* Improve RADIUS module
* WebUI: Fix download of audit log
* Fix missing access right of user to GET /caconnector
Version 2.3, 2015-05-22
* Add connector to remote Certificate Authority
* Add Tokentype "certificate" to manage certificates for users
Certificates or Certificate Requests can be uploaded.
Certificate Requests (Keypair) can be generated in the browser.
* Add Tokentype "registration" for easier enrollment scenarios.
* Add TokenType "Email" to send OTP via Email.
* Add "First Steps" to online documentation
* Add handling of validity period of token
* Enable download of Audit log as CSV
* Add Resolver Priority, to handle a duplicate user in a realm
* Add TYPO3 Plugin to enable OTP with TYPO3
* Add SCIM Resolver to fetch users from SCIM services
* Fix Failcounter issue
* Fix NTLM password check
* Fix timestep during enrollment
Version 2.2, 2015-04-09
* pi-manage.py: create resolvers and realms
* pi-manage.py: manage policies
* Add LostToken UI
* Add Offline Application